Asterisk security through geographic IP address restriction

There are many approaches to implementing security in Asterisk (see Asterisk security ), but for some system administrators it becomes a headache when certain users roam with a softphone or VoIP adapter and expect to be able to connect to the "home" Asterisk system from wherever they happen to be. Unless the user connects through a VPN, it is usually impossible to know in advance what IP address they will be connecting from, so you cannot preemptively set permit and deny entries that only allow connections from "approved" IP addresses. Restricting access by the geographic location of the source IP address instead is generally known as "geofencing".

While enforcing strong passwords is very helpful in this situation, and a separate Asterisk intrusion detection/prevention system is essential, additional security can be imposed through geographic blocking. For example, if your users never travel outside their home country, then any connection from an IP address located outside the country should be considered extremely suspicious, even if the correct password is presented: a valid password arriving from an unexpected location is exactly what a stolen credential looks like. Therefore, system administrators may want to consider automatically blocking connections from outside an "approved" area.

The purpose of this page is to list any scripts, software, or other mechanisms that attempt to enhance Asterisk security through the use of selective geographic blocking.

Available Software and Scripts

SecAst from www.telium.ca is a product which can restrict Asterisk use based on the geographic location of a source IP address. It allows you to restrict access by continent / country / region / city. SecAst maintains its own IP filtering rules, so it does not fill iptables with a massive number of rules (as many solutions do), nor slow your network traffic by inspecting every packet and comparing it to a database. Instead, SecAst works with Asterisk and only blocks source IPs when they attempt to connect to Asterisk, and only if they match the geographic filters. SecAst contains a worldwide database of IP addresses including both IPv4 and IPv6 addresses. This geofencing feature is only one of the many features of SecAst, a broader intrusion detection and prevention system. SecAst is a commercial security product, but there is also a free edition available for download. For more information visit the SecAst wiki page: SecAst (Asterisk Intrusion Detection and Prevention)

Geolock is a simple experimental Perl script that can be set up as a cron job to run once per minute. It does the equivalent of a "sip show peers" or "iax2 show peers" command from the Asterisk CLI, examines the IP address of each non-local (non-RFC 1918) connected extension, and uses a Perl module and geographic database to determine where that IP address is located. If the connection is coming from outside the home country (the US by default, but that is easily changed), then an iptables rule is created that drops traffic from that IP address. The extension itself is not banned, so the valid user should still be able to connect from within the "approved" geographic area. Two caveats apply to any script of this kind: because it only runs once a minute, a registration from abroad can succeed briefly before the block is applied, and geolocation databases are not perfectly accurate, so an address occasionally gets attributed to the wrong country.
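The following is an added example of the Geolock approach written in Python; it is not the Geolock script itself or any other code from the page. It assumes the column layout of "sip show peers" shown in the constructed SAMPLE_PEERS text, uses a tiny constructed prefix-to-country table in place of a real GeoIP database, and only generates the iptables / ip6tables commands as strings rather than executing them.

```python
"""
Geolocation-based blocking of connected Asterisk peers, in the spirit of the
Geolock script described above.  Added example, not the original Geolock code.
Assumptions: the 'sip show peers' column layout used in SAMPLE_PEERS, a
constructed prefix-to-country table standing in for a real GeoIP database,
and firewall rules are returned as strings, not executed.
"""
import ipaddress
import re

HOME_COUNTRY = "US"

# Addresses that never need a geographic check: RFC 1918 LANs, loopback,
# link-local and IPv6 ULA.  Listed explicitly rather than via is_private(),
# because Python's is_private() also covers the documentation ranges used
# in the constructed sample below.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

# Constructed stand-in for a GeoIP database (documentation prefixes only).
# A real deployment would query a GeoIP database here instead.
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "DE",
    ipaddress.ip_network("2001:db8:1::/48"): "BR",
}

# Constructed sample output of: asterisk -rx "sip show peers"
SAMPLE_PEERS = """\
Name/username   Host              Dyn Forcerport Comedia    ACL Port     Status
1001/1001       192.168.1.50       D  Auto (No)  No             5060     OK (12 ms)
1002/1002       198.51.100.23      D  Auto (No)  No             5060     OK (48 ms)
1003/1003       203.0.113.77       D  Auto (No)  No             5060     OK (130 ms)
1004/1004       (Unspecified)      D  Auto (No)  No             0        UNKNOWN
1005/1005       2001:db8:1::42     D  Auto (No)  No             5060     OK (200 ms)
5 sip peers [Monitored: 4 online, 1 offline Unmonitored: 0 online, 0 offline]
"""

PEER_LINE = re.compile(r"^(\S+)\s+(\S+)")


def parse_peers(output):
    """Return [(peer_name, ip_address)] for every peer with a usable host address."""
    peers = []
    for line in output.splitlines()[1:]:          # skip the column header
        m = PEER_LINE.match(line)
        if not m:
            continue
        name, host = m.group(1), m.group(2)
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue          # "(Unspecified)" peers and the summary line
        peers.append((name, addr))
    return peers


def is_local(addr):
    """True for LAN / loopback / link-local addresses that are never geo-checked."""
    return any(addr.version == n.version and addr in n for n in LOCAL_NETS)


def lookup_country(addr):
    """Longest-prefix match against GEO_TABLE; None when the address is unknown."""
    best = None
    for net, cc in GEO_TABLE.items():
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, cc)
    return best[1] if best else None


def foreign_peers(output, home=HOME_COUNTRY):
    """Return [(name, addr, country)] for non-local peers outside the home country.

    Peers whose location is unknown are NOT blocked: a gap in the database
    must not lock a legitimate user out of the PBX.
    """
    result = []
    for name, addr in parse_peers(output):
        if is_local(addr):
            continue
        cc = lookup_country(addr)
        if cc is not None and cc != home:
            result.append((name, addr, cc))
    return result


def firewall_rules(foreign):
    """Build the DROP commands Geolock would run; the address, not the peer, is banned."""
    rules = []
    for _name, addr, _cc in foreign:
        tool = "iptables" if addr.version == 4 else "ip6tables"
        rules.append(f"{tool} -I INPUT -s {addr} -j DROP")
    return rules


if __name__ == "__main__":
    bad = foreign_peers(SAMPLE_PEERS)
    for name, addr, cc in bad:
        print(f"blocking {name} registered from {addr} ({cc})")
    for rule in firewall_rules(bad):
        print(rule)
```

With the constructed sample, only extensions 1003 (Germany) and 1005 (Brazil) produce rules; the LAN peer, the US peer, and the unregistered peer are left alone. A production version run from cron should also check whether a rule for the address already exists (for example with `iptables -C`) before inserting it, or the chain will grow by one duplicate rule per minute for as long as the foreign registration persists.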